December 2014 - Posts

As 2014 winds down, I was under the impression that data breaches caused by the loss or theft of unencrypted laptops were really down – I hadn't come across too many stories involving them over the past year, relatively speaking. I had attributed this turn of events possibly to the increased use of disk encryption software like AlertBoot's managed laptop encryption services. Our company had seen a phenomenal uptick of new clients over the past 12 months.

And then, I return from my Christmas festivities to find 3 stories at phiprivacy.net and companion site databreaches.net involving unencrypted laptops, making me question if it was all just an illusion.

Physicians Skin & Weight Centers, Inc

An employee's car was broken into, and a laptop computer and external hard drive were stolen. The breached data included:

Images taken during the course of their treatment with their first and/or last name; and some patients’ name on a company invoice. Also, a limited number of patients had banking information including full routing numbers, account numbers, and/or credit card numbers; and/or a copy of our financing application detailing some patients’ social security number, date of birth, mailing address, email address, income, rent payment, and employer’s name potentially exposed.

We can only assume, based on the reference to "patients," "treatment," and the name of the organization, that Physicians Skin & Weight Centers is a HIPAA covered entity. Why the employee's laptop was not protected with HIPAA-grade encryption, then, is something of a mystery.

It certainly would have saved them a lot of grief, seeing how legal protections are afforded if encryption is used.

California CPA

In what reads like a personal letter to clients, a CPA admits to losing his clients' data and triggering a data breach:

It is with a heavy heart that I bring you this news. On Friday December 19, 2014, my vehicle was broken into. My briefcase, laptop (password protected) and a flash drive containing confidential client information were stolen. The car was locked and parked on a well-lit commercial area in front of a busy restaurant.

While it's nice that the machine was password-protected, the fact that a data breach notification letter is being sent is proof that password protection is worth nearly squat when it comes to data security. I make a point of pointing out each year how easy it is to get around so-called "protection," and I've already posted a number of articles throughout 2014 to that effect.

Still, perhaps the CPA ought to be given a break. It sounds like his business is a sole proprietorship, and if multi-billion dollar companies cannot do it right, how is one person, whose training is in accounting and finance, supposed to knowledgeably oversee all IT aspects affecting his business? For all we know, he honestly thinks that password protection is the same as encryption. They both take passwords, right?

DJO Global

While parked at a coffee shop in Roseville, Minnesota, someone smashed open the backseat window of our consultant’s car. Among other things in the car, our consultant’s laptop was stolen.

Again, based on the information above, it's hard not to assume we're dealing with another HIPAA covered-entity. Furthermore, seeing how the consultant was at the heart of this data breach, we're dealing with what the HIPAA regulations call a "business associate" (BA), outside contractors that covered-entities hire to do work they can't (or won't) do. Industry surveys show that BAs tend to account for at least a third of all HIPAA data breaches.

Which is why BAs are now held to pretty much the same data security standards as covered entities when it comes to protecting data. Plus, covered entities are held accountable for it, too.

Cars are Not Safes

There's a reason why banks use armored cars to transport bonds, cash, and other valuables from point A to point B: your average Toyota is not break-proof. If someone's walking by and he fancies your GPS unit, radio, child seat, what have you, there is very little stopping him (or her) from breaking into your car. Hell, it's easier to get into your old high school locker.

I mean, there are significant portions made of glass when it comes to a car.

At some point, US organizations that became the victims of a data breach started offering credit and other financial monitoring services for free. These were meant, among other things, as an apology to customers, patients, clients, employees, what have you, for the failure to protect sensitive data. New research seems to suggest that this could leave companies more exposed to dissatisfaction. The same research suggests that a better approach may be to offer, if not monetary, some sort of palpable benefit.

Raising Suspicions

In one of the most dumbfounding conclusions I have read, a researcher at the University of Arkansas studied two approaches to compensating individual victims of a data breach: offering a 10% discount on purchases and free credit monitoring. The former was received favorably; the latter not so much.

On the face of it, such conclusions are understandable: free credit monitoring is, for all intents and purposes, useless. It won't prevent fraudulent use of your personal info (you'd need a credit freeze for that); notification on any irregularities is generally slow; and it's your right to get a free one each year. A 10% discount, on the other hand, is something you don't get every day. It's something you can bank on.

But it's not this line of thinking that makes the 10% discount a better offer. The reason why the discount wins over the credit monitoring is that,

Many customers disliked this strategy, regarding extended periods of free credit monitoring as overcompensation and risking the perception that there was more to the breach than the company communicated.

One wonders if a 20% discount would have also culminated in the "overcompensation" category, and raised suspicions that things are not quite right. And, what would happen at a 0% discount? Would it strongly imply that nothing is wrong?

Northwestern Memorial HealthCare (NHMC) – which counts as affiliates Northwestern Lake Forest Hospital, Northwestern Memorial Hospital, and Northwestern Medical Group – notified approximately 2,800 people of a data breach. A laptop computer that was not protected with HIPAA-strength encryption was stolen from an employee's vehicle. According to chicagotribune.com, the hospital group took more than 2 months to notify patients, which puts them in breach of the HIPAA/HITECH Breach Notification Rule.

Password Protection

Based on the description of which hospitals comprise the Northwestern Memorial Healthcare group, it sounds like we're talking of an extensive organization. A big medical organization that cannot afford to be found lax when it comes to patient data security… and a look at their 2014 financials confirms it: with over $700 million total current assets (and $5 billion in total assets), it's kind of hard to think of NHMC as a mom-and-pop store.

Which is why the words "password protected" really shouldn't be keywords that pop out when an article is being written about this medical covered-entity's data security practices. Granted, password protection has its uses – but not when it comes to stolen or lost laptops with PHI. To begin with, getting past password protection is easier than you think (and easier to find on the internet than you think).

Second, password protection does not afford legal protections (again, probably because it doesn't offer real, physical protection) that can be very beneficial for an organization that is constantly facing the risk of a lawsuit, which is an oft-discussed professional hazard in the medical field. At least in the US.

Last but not least, and an extension of the above, it can also lead regulatory bodies to spring into action.

Obviously, password-protection is not something you want to boast about. "Yet unencrypted" was this lost laptop, according to chicagotribune.com. Not good, when you consider that,

60 Calendar Days

Another point the venerated newspaper brought to light is that "hospital officials waited nearly two months to release information about the breach"…although in the "sharelines" section at the top of the article, it is noted that "Hospital group waited more than 2 months to notify patients about stolen computer containing private data" (my emphasis).

Which one is it? My own calculation shows that it's the former, that it took less than 60 days. But I'd have been willing to bet that this was the case even without bothering to make a calculation. Why?

Because HIPAA/HITECH regulations specify that data breach notifications must be made within 60 calendar days of the breach's discovery (there are a handful of exceptions). Otherwise, you have another breach of HIPAA – the loss of sensitive data plus the non-notification to the patients. And as case studies over the last four years show, you don't want to be in a position where you're breaking HIPAA laws left and right.

And a $5 billion concern knows this – and has lawyers to remind them of the fact.

Borderless Encryption Management

Chances are that the covered-entity's policies require crypto-safety, either because it's a laptop that regularly stores PHI or because it is a laptop, period. So, considering the above, how is it that this particular laptop was not encrypted?

It could be that IT is decentralized among the three hospitals, meaning that problems arise with personnel transfers; reusing, retiring, and recycling inventory; etc. Or perhaps IT is centralized, and the logistics of keeping track of everything are close to impossible. Or perhaps this was a personal computer belonging to the employee. Your guess is as good as mine.

Chances are we will find out a couple of years from now, when the HHS/OCR finishes their study into the situation.

As the year winds down, I couldn't help but look over some of the major data breaches of 2014. Sure, we've got the behemoth known as the Sony hack going on right now, but – aside from the juicy Hollyweird gossip we're getting, and the international intrigue surrounding the hack – it's as yet pretty hard to see what kind of real effect it's going to have in the long run.

Which brings us to one of the data breaches that stand out from 2013, but are still shining a light in 2014: the Maricopa County College hack. It is the biggest data breach in the US education sector to date. More interesting, though, is that the district is being very open with the dollar figures surrounding the aftermath of the hack.

$26 Million, with the Bulk Going to Lawyers

According to databreaches.net, MCCCD has reserved $26 million for cleaning up the 2013 hack, with approximately $16.6 million spent so far:

$19.9 million went to lawyers (students filed lawsuits).

$7.5 million are reserved for IT consulting and repair.

$7 million were set aside for notification and credit monitoring services ($3 million). MCCCD was billed for $36,286 (that's not a typo).

$2.2 million are going to "services."

In addition, it was revealed that insurers paid $867,000 of the costs, although MCCCD is pushing for more payments.

Encryption and Other Security Measures Sure Are Cheap

When you see the figures above, you can't help but think that perhaps IT security costs are pretty cheap. I mean, sure, depending on what you're looking to do, it could cost thousands of dollars to begin with. And with IT security, the sky really is the limit. But isn't it money better spent than giving it to lawyers? Or spending millions on sending letters of apology via US postal mail?

A Little Shocking

I find a couple of things shocking. First, the fact that almost no one signed up for credit monitoring services. Granted, they don't really do much, but it's better than one day waking up and finding that your SSN has been misused, or that your bank account has been wiped out, etc. To find that so little faith is put in it that MCCCD is using only 1.2% of the money they reserved is pretty shocking. If I'm not wrong, the (quite limited) past figures have shown the rates to be closer to 10%...which is not really saying much, but still.

The other shocking thing: insurance doesn't really make up for bad data security. Well, maybe it's not that shocking. But it's pretty shocking that even when they do, it's really not enough to cover the expenses stemming from a data breach.

As medical organizations become better and better at protecting sensitive data – due largely to HIPAA regulations that "strongly encourage" the use of medical data security tools like AlertBoot's managed disk encryption for laptops – we are beginning to see the rise of "tail-end" data breach vectors, like the one Virginia Commonwealth University Health System (VCUHS) revealed recently.

According to VCUHS, the covered entity experienced a data breach when a well-meaning employee donated used CDs to children's art projects, a far cry from the ever-popular and uncomfortably regular "laptop was stolen from a vehicle" story.

The Long Tail

One of the best-selling books in the 2000s was "The Long Tail," a look into how niches will become a force to be reckoned with in the new economy. Despite the splash that it made, it's actually an old theory of sorts that also goes by the names of Pareto Analysis, the Power Law, and the 80/20 Rule, among others.

The gist of it is, a handful of factors account for approximately 80% of "something" and the rest account for 20%. For example, if a company has a customer service center, chances are that an analysis of their logged data will show that fewer than 5 issues account for 80% of the complaints, whereas the rest of the complaints account for 20%. The smart move is to take care of those 5 issues or so. Once these are taken care of, the numbers are crunched again to show which remaining issues account for 80% of the complaints, and those are resolved in turn. Then the process is started again. Of course, for the best-selling book, such recursive methods were not part of the formula.

The long and the short of the above observation is that, when it comes to non-internet based data breaches, we can expect to see more and more instances of PHI breaches involving outliers, such as VCUHS's. The loss, theft, and misplacement of CDs full of medical information can be "predicted," in the sense that you know it's going to happen at some point. An empirical number (admittedly based on past incidences, which don't necessarily guarantee future occurrences) can be assigned; calculations can be made; risk exposure can be minimized.

But the how and why? That's trickier to account for. The question arises, though: is that important? The answer is "yes" if an organization doesn't make it a policy to encrypt every single CD. If they selectively protect the CDs, based on the likelihood of them being involved in a data breach, they will fail to account for those unknown unknowns, like VCUHS's philanthropy gone wrong.
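To make the recursive Pareto process described above concrete, here is an added example (not code from the original post or from AlertBoot) that ranks a constructed set of non-internet PHI breach vectors, takes the top-ranked vectors that together account for 80% of incidents as the "vital few," treats them as resolved, re-crunches the remainder, and repeats. The vector names and counts are made up for illustration; the long-tail vector (a lost or donated CD) only surfaces in a later round, which is the point made about selective protection.

```python
from collections import Counter

# Constructed sample of non-internet PHI breach incidents, one vector per incident.
# These are made-up counts for illustration, not figures from the post or any survey.
SAMPLE_INCIDENTS = (
    ["laptop stolen from vehicle"] * 41
    + ["lost USB flash drive"] * 17
    + ["paper records misplaced"] * 12
    + ["laptop stolen from office"] * 9
    + ["external hard drive stolen"] * 6
    + ["CD/DVD lost or donated"] * 2
    + ["backup tape lost in transit"] * 1
    + ["fax sent to wrong number"] * 1
)


def vital_few(counts, threshold=0.8):
    """Return the smallest top-ranked set of vectors whose cumulative share of
    incidents reaches `threshold` (the Pareto 'vital few'), in rank order.
    Ties are broken alphabetically so the result is deterministic."""
    total = sum(counts.values())
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    chosen, running = [], 0
    for vector, n in ranked:
        chosen.append(vector)
        running += n
        if running / total >= threshold:
            break
    return chosen


def pareto_rounds(incidents, threshold=0.8, max_rounds=10):
    """Apply the recursive process: find the vital few, treat them as resolved
    (drop them), re-crunch the remainder, and repeat until nothing is left.
    Returns one record per round: the vectors addressed and the share of the
    then-remaining incidents they accounted for."""
    remaining = Counter(incidents)
    rounds = []
    while remaining and len(rounds) < max_rounds:
        chosen = vital_few(remaining, threshold)
        total = sum(remaining.values())
        share = sum(remaining[v] for v in chosen) / total
        rounds.append({"vectors": chosen, "share_of_remaining": round(share, 3)})
        for v in chosen:
            del remaining[v]
    return rounds


if __name__ == "__main__":
    for i, r in enumerate(pareto_rounds(SAMPLE_INCIDENTS), start=1):
        print(f"round {i}: {r['share_of_remaining']:.1%} of remaining -> {r['vectors']}")
```

With the constructed counts, the first round addresses four vectors covering 88.8% of incidents, and the donated-CD vector is not reached until the second round.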

According to some of the latest findings, the average cost of a lost laptop is over $49,000. In US dollars. Actually, there needs to be an asterisk placed after the figure: the cost is based on the assumption that the lost computer was not protected with data security tools like AlertBoot's managed disk encryption software (plus the further assumption that local, state, and national regulations provide safe harbor if sensitive data is encrypted).

Intel's Cost of a Lost Laptop

Intel sponsored a survey that saw the participation of 329 US organizations with employee counts between 1,000 and 75,000. The survey showed that over a 12-month period, 86,455 laptops were lost in one way or another. That's a whopping 263 laptops per organization, on average.

Even more eye-popping was the cost associated with each laptop: an average of $49,246. The figure includes the cost of replacing the laptops, of course, but it accounted for the smallest portion of the total amount. Other costs include:

This is (yet another) wakeup call for companies that are not using encryption software on their laptops because they think that the cost of implementing such a solution is "too expensive."

As the saying goes, an ounce of prevention is worth a pound of cure. Or, in this case, seeing how protecting a laptop against the eventuality of a data breach is less than $100/year per machine, an ounce of prevention is worth 30 pounds of cure (whatever that may mean).

Other Stats

In addition to the above, the report had some other eye-catching findings, as reported by livetradingnews.com:

Each organization recovered 12 out of the 263 lost laptops.

76% of laptops went missing outside of the workplace.

Nearly half of all laptops had confidential data but encryption was used on only 30% of laptops.

7% of laptops in organizations will be lost or stolen.

Consider that last one. 7% of all laptops in an organization will go missing. With an average cost of approximately $49,000 per loss, it means that a company that has at least 15 laptops can expect to kiss away at least 50-grand each year to data breach-related concerns.

Sounds preposterous, but like an actuarial table, you can bet that the numbers work out in the long run.